Home > Enterprise >  PHP set field-name with parameter
PHP set field-name with parameter

Time:01-24

in my php-script i am executing on a sql-server. Everything works fine, but: I dont only have variable values, but also variable field-names. Therefore I would like to pass the field-names as a parameter for security-reasons.

the sql would be

 $sql = "UPDATE  STA_Kunden
                SET     ? = ?
                WHERE   (KUN_KundeNo = ?)";

 $params = array($field, $value, $select);

But the field-name can not be a parameter. Therefore if someone would mess around with the field-name a sql-injection would be possible. How can I set this secure?

Thanks Max

CodePudding user response:

You have to whitelist the values of $field and concatenate it into the query:

if (in_array($field, array('allowed_field_1', 'allowed_field_2'))) {
  $sql = "UPDATE STA_Kunden SET " . $field . " = ? WHERE (KUN_KundeNo = ?)";
  $params = array($value, $select);
}

Page link:https//www.codepudding.com/Enterprise/274702.html

Prev:How to count rows and transfer them to separate columns?
Next:TSQL XPath for nodes with different names
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding